VPN Purgatory

jmmeisner (Level 1)

I almost hate to ask this seemingly simple question, but I've been researching online for about three days and trying different configurations to connect my main office to a satellite office via VPN.

In the main office, we have a slightly older router, a 2821 running Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1).

The satellite office has a 3825 running Cisco IOS Software, 3800 Software (C3825-ADVSECURITYK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1).

The configuration that I'm adding to the routers is as follows:

Main office:

crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address [satellite office WAN IP]
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set transform-set vpnset
 match address 175
 set peer [satellite office WAN IP]
interface GigabitEthernet0/0
 crypto map vpnset
access-list 175 permit ip [Main office LAN] 0.0.0.255 [Satellite office LAN] 0.0.0.255

-----------------

Satellite office:

crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address [main office WAN IP]
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set transform-set vpnset
 match address 175
 set peer [main office WAN IP]
interface GigabitEthernet0/0
 crypto map vpnset
access-list 175 permit ip [Satellite office LAN] 0.0.0.255 [Main office LAN] 0.0.0.255

----------------------

I'm struggling pretty hard with this, and it seems like a pretty simple function of these routers. Maybe I'm trying to do this wrong, but it seems straightforward. I would sure appreciate any help with this. I've scoured the internet and tried this four or five slightly different ways.

THANKS!


Dinesh Moudgil (Cisco Employee)

Hi Jonathan,

Can you please confirm that you have the same phase 1 policies on both sides?

Looking at the configuration, it seems the encryption parameter and DH group are missing.

Please configure the following on both sides and see if it helps:

crypto isakmp policy 10
 encryption 3des
 group 5
 hash sha
 authentication pre-share

Make sure you have the right NAT exemption for the interesting traffic and a route pointing to the default gateway.

Hope that helps.

Regards,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you for your reply Dinesh! I did try to add the encryption parameter and DH group to both sides. It seems "hash sha" might be a default, because it doesn't show up in the configuration after I enter it.

I have been doing a lot of research and spoken to a few cisco resources who I know. Haven't had much success.

The error I get is "No peer struct to get peer description", which from everything I read relates to the access list being wrong. In this case, access-list 175... which appears to be correct to me.

I did a test and added "access-list 175 permit ip any any" to both sides, as I read that someone with a similar issue had tried it, and amazingly enough the session started up and I was able to ping across it. Unfortunately I lost internet connectivity on both ends at the same time. This seemed like a hack anyway, but I thought it was worth mentioning.

As I am still working on this issue, I'm reading about making a tunnel. Maybe I need to go that route? Basically, I need the satellite office to be able to access the fileserver in the main office as well as use another piece of software that connects back to our SQL server. Both sides need to use their own internet connections for all other activity.

The following are the configurations from both routers. I appreciate any insight you might have to offer. Maybe I'm going about this wrong. As a last note, I'm using the ADVSECURITY-K9 IOS on both ends, if I haven't mentioned that previously.

Thanks!

--

Router 1 - Main Office

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key vpnkey address [router 2 public ip]
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map dti 10 ipsec-isakmp
 set peer [router 2 public ip]
 set transform-set vpnset
 match address 175
!
interface GigabitEthernet0/0
 description COX WAN2
 ip address [router 1 public ip] 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
 crypto map dti
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.168.35 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 [router 1 gateway]
ip route 10.0.0.0 255.255.255.0 GigabitEthernet0/0
!
access-list 101 deny   ip 192.168.168.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.168.0 0.0.0.255 any
access-list 175 permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.0.0.255

-------------------------------------------

Router 2 - Satellite Office

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key vpnkey address [router 1 public ip]
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map dti 10 ipsec-isakmp
 set peer [router 1 public ip]
 set transform-set vpnset
 match address 175
!
interface GigabitEthernet0/0
 description external WAN interface
 ip address [router 2 public ip] 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 media-type rj45
 no cdp enable
 crypto map dti
!
interface GigabitEthernet0/1
 description internal LAN interface
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
no ip classless
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 [router 2 gateway]
ip route 192.168.168.0 255.255.255.0 GigabitEthernet0/0
!
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 175 permit ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.255

The VPN config looks correct. Only the static routes for the remote subnets pointing to your local interface are probably wrong. Remove those first, or set the next hop to the gateway, and then test again.
And upgrade the IOS on the main site. 15.1(4)M1 also showed very strange symptoms for me.

With IOS routers you can follow the example I just posted in another thread:
https://supportforums.cisco.com/message/4100819#4100819

Using IPsec tunnel interfaces is much easier than using crypto maps.


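As an added example (not from this thread or from Cisco), the script below runs the checks a reviewer would make over the two crypto-map configs posted above: mirror-image crypto ACLs, the any/any trap that cost both sites their internet access, the NAT exemption in ACL 101, and the static route for the remote LAN that points at GigabitEthernet0/0 instead of a next-hop address. The configs are constructed copies with documentation-range placeholders for the public IPs; `check_pair` and `acl` are names of my own.

```python
import re

# Constructed from the two configs posted above; the public addresses are
# documentation-range placeholders, not the thread's real WAN IPs.
MAIN = """ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.0.0.0 255.255.255.0 GigabitEthernet0/0
access-list 101 deny   ip 192.168.168.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.168.0 0.0.0.255 any
access-list 175 permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.0.0.255"""
SAT = """ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.168.168.0 255.255.255.0 GigabitEthernet0/0
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 175 permit ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.255"""

ACL = re.compile(r"access-list (\d+) (permit|deny)\s+ip\s+(\S+ \S+|any)\s+(\S+ \S+|any)")
ROUTE = re.compile(r"ip route (\S+) (\S+) (\S+)")

def acl(cfg, num):
    """Entries of one numbered extended ACL as (action, src, dst), in order."""
    return [(m[2], m[3], m[4]) for m in ACL.finditer(cfg) if m[1] == num]

def check_pair(local, remote, crypto_acl="175", nat_acl="101"):
    """Findings for `local`, judged against its peer `remote`."""
    findings = []
    mine, theirs = acl(local, crypto_acl), acl(remote, crypto_acl)
    # 1. Both crypto ACLs must be exact mirror images (src and dst swapped).
    if mine != [(a, d, s) for a, s, d in theirs]:
        findings.append(f"ACL {crypto_acl} is not the mirror image of the peer's")
    # 2. permit ip any any pulls all traffic, internet included, into the tunnel.
    if any(s == "any" and d == "any" for _, s, d in mine):
        findings.append(f"ACL {crypto_acl} matches any/any; internet traffic would enter the tunnel")
    # 3. NAT exemption: each VPN flow needs a matching deny in the NAT ACL.
    nat = acl(local, nat_acl)
    for action, src, dst in mine:
        if action == "permit" and ("deny", src, dst) not in nat:
            findings.append(f"no NAT exemption in ACL {nat_acl} for {src} -> {dst}")
    # 4. A static route for the remote LAN pointing at a multi-access interface
    #    rather than a next-hop IP makes the router ARP for every remote host.
    for prefix, mask, nexthop in ROUTE.findall(local):
        if prefix != "0.0.0.0" and nexthop[0].isalpha():
            findings.append(f"route {prefix} {mask} points at {nexthop}; remove it or use the gateway IP")
    return findings

if __name__ == "__main__":
    for name, loc, rem in (("main", MAIN, SAT), ("satellite", SAT, MAIN)):
        print(name, check_pair(loc, rem))
```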

I'm still having trouble with this. I'm considering using your example with IPsec tunnel interfaces. I'm confused though: you have the WAN IP address on the Dialer0 in your config. I have the WAN on our GigabitEthernet0/0 and they conflict.

My goal is to have each side use their own internet connection for all traffic except the tunnel to go to each other's LAN for filesharing etc.

Below is the proposed config. Thank you so much for your time.

-------------------
  HQ Router
-------------------

crypto isakmp policy 10
 encr aes 256
 auth pre
 group 5
!
crypto isakmp key cisco1234 address [REMOTE WAN]
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source Dialer 0
 tunnel destination [REMOTE WAN]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface GigabitEthernet0/0
 description external WAN interface
 ip address [HQ WAN] 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description internal LAN interface
 ip address 192.168.168.35 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
!
interface Dialer0
 ip address [HQ WAN] 255.255.255.224
!
ip route 10.0.0.0 255.255.255.0 Tunnel0

*******************************************************************************************

-------------------------
  Remote Router
-------------------------

crypto isakmp policy 10
 encr aes 256
 auth pre
 group 5
!
crypto isakmp key cisco1234 address [HQ WAN]
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.254
 tunnel source Dialer 0
 tunnel destination [HQ WAN]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface GigabitEthernet0/0
 description external WAN interface
 ip address [REMOTE WAN] 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1
 description internal LAN interface
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface Dialer0
 ip address [REMOTE WAN] 255.255.255.252
!
ip route 192.168.168.0 255.255.255.0 Tunnel0

If your WAN interface is a physical interface and not a logical dialer, then you simply don't have an "interface Dialer0", and your tunnel interface has to be adjusted to the right tunnel source. For example on the HQ:

interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source gig0/0
 tunnel destination [REMOTE WAN]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile

With the "ip route" you control which traffic goes through the tunnel. If you only have one network pointing to the tunnel interface, then the rest is routed directly to the WAN interface.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

After months of trying to deal with the crypto maps, hours and hours of research, and a lot of trouble in between...I went with the IPSec tunnel interface as you suggested. WHICH WORKED PERFECTLY THE FIRST TRY!

I can't thank you enough for your help. One last question, is there any downside to using the IPSec tunnel vs. the crypto map? I can't find any. Just curious.

THANKS!!